How to Establish Defense in Depth for Building Automation Systems

April 13, 2021

In previous articles we have discussed how building automation systems have become a soft target for cyberattacks. This is caused by the large numbers of intelligent devices connected over open networks, sophisticated threats designed to attack control systems, as well as dependency on third-party service providers connecting to the systems remotely over the internet.

In this article, we will focus on the steps needed to appoint a leader, convene a team and establish a defense in depth designed to protect these important systems. The process may face unusual challenges as buildings and building automation systems are used and supported by many stakeholders including owners, tenants, service providers, occupants and visitors. Within the enterprise, tensions over cybersecurity may exist between IT and Facilities as differing knowledge and priorities confound cooperation.

A paper published by the US Department of Energy in March 2020 reports that half of all commercial buildings have intelligent building control devices connected to the Internet, and almost 95 percent have no disaster recovery plan. Of these, a full 40 percent report that their building automation systems have been targeted. These numbers are staggering given the important role that large buildings play in the world today.

Fortunately, there are a number of excellent cybersecurity frameworks that can be applied to create a defense in depth for building automation systems. Standards bodies, government agencies and quality organizations have all developed these methodologies and made them available at no cost to their constituents. These important frameworks mostly follow a common defense in depth approach covering physical, technical and administrative functions.

Because all of the popular frameworks are capable of improving security, selecting one over the other is usually not too critical. The more important question is how to deploy any framework within the context of large and complicated smart buildings. The deployment journey characteristically begins by appointing a leader (or volunteer) who will establish a team of stakeholders to work together to select, tailor and operate the framework. Leaders of these teams often come from the tenant’s Facility or IT organization. Either approach will work as long as the leader is capable of managing the team while working cooperatively with a variety of stakeholders with different backgrounds.

In addition to leadership, the make-up of most teams includes IT staff familiar with networks, servers and Internet connectivity, as well as Facility experts familiar with building automation systems, electrical and mechanical systems. Often, there will be a combination of regular active team members and a number of part-time stakeholders. This creates a core team and an extended team led by the tenant, and also encompasses the building owner plus vendors who service the systems. In addition to IT and Facility staff, it is a best practice to recruit a cybersecurity expert to the team. Often this person has an IT background along with extensive training and experience working in cybersecurity. In most organizations cybersecurity experts are in short supply, and if this is the case, then hiring a local contractor may be the best solution. While some frameworks are now recommending a single leader with a combination of IT, OT and cybersecurity expertise, in reality this combination of skills is extremely rare, and it is unreasonable to expect that one individual will be an expert in all of these disciplines. So, while it would be ideal to find a person like this, it is far more likely that there will be a single leader from one discipline aided by team members with complementary skills.

Enlisting vendors to join the team may produce a negative reaction. Lease agreements, service contracts, fear of liability and lack of expertise often create barriers. Concerns over cybersecurity can cause even good vendors to pause or wave off participation. However, if a vendor is essential to implementing the framework and establishing a defense in depth, then it is the responsibility of the team leader to explain and press the supplier for their cooperation. The goal should always be to inform and include, though if this approach does not deliver results then pressure should be brought, including replacing uncooperative vendors. New construction or a new lease is a special case because it is the time when contracts are open for negotiation and when building owners and systems integrators are most receptive to designing systems with cybersecurity as a central requirement.

The most common category of building is professional office space. Large companies often lease offices across the country and many do so around the globe. These remote buildings play host to hundreds of employees and frequently lack onsite IT. Facility support is usually provided by third parties. In cases like this, corporate IT or Facilities will need to establish the defense in depth framework from afar by assembling a virtual team of local service providers and by using cybersecurity automation. Vigilance and care are necessary because flat WAN networks can join remote offices to corporate-wide enterprise networks.

During the time that a framework is being established, it is also essential to deploy cybersecurity automation systems. Automation and modern IT infrastructure will provide the team with the means to detect and prevent or detect and respond to threats automatically. Automation also reduces labor, making it possible to improve security even across large, complex and remotely managed systems. The best cyber automation platforms also include reports which follow the structure and terminology of the popular frameworks.

Whether the team is local or engaged remotely, it is a best practice to meet each month to review the status of the defense and any emerging threats. This is done using the defense in depth framework and automated reporting as a guide. A regular meeting cadence will also strengthen the resolve of the team to continuously improve and remain vigilant.

Beyond regular meetings it is important to have a process at the ready to manage cyberattacks when they occur. Rehearsal and planning are the best ways to minimize damage from an attack. Knowing who to contact and how to react is a well-proven approach that will save time, money and liability. Once an attack has been contained, having a verified recovery procedure will be priceless. For extreme situations, it is advisable to have an executive escalation process which may entail contacting senior leadership, public relations, legal representatives, customers and law enforcement. Ideally, these more extreme situations will be avoided through preemptive planning and teamwork.

If you have any questions about this post, including specific frameworks to use for a defense in depth approach, you can reach out anytime here. In the next post, we will dive into system features designed to minimize vulnerabilities. We will also discuss recommendations for working with integrators to ensure that systems are secure by default.